The United States’ reliance on computers and the Internet for everything, from banking to military
command and control, has made the nation’s information infrastructure highly vulnerable to infiltration and
sabotage from a multitude of threats. This vulnerability is the “Achilles Heel” of U.S. global power and will
be a major security challenge for the 21st Century. If the United States does not improve its ability to
defend against information attacks, it may fall victim to a new and more destructive type of war, “Infowar.”
Although the government has taken the lead to protect its information infrastructure through several
initiatives, there must be cooperative efforts between the government, industry, and private agencies
working together as a team to protect this critical “Center of Gravity.” For the United States to adequately
protect its information infrastructure against a myriad of threats, it must identify its vulnerabilities and put
“teeth” into its defensive information warfare policy.

Invincibility depends on one’s self; the enemy’s vulnerability on him.

—  Sun  Tzu 

If  we  are  to  continue  to  enjoy  the  benefits  of  the  Information  Age,  preserve  our  security, 
and  safeguard  our  economic  well-being,  we  must  protect  our  critical  computer-controlled 
systems  from  attack. 

—  President  William  J.  Clinton 

PROTECTING  THE  UNITED  STATES  AGAINST  INFORMATION  WARFARE 

The United States is now embarking on a new and potentially more destructive kind of war - “The
Infowar.” This is war fought by using computers and networks devoid of physical boundaries and
comprising  many  threats  to  our  critical  information  infrastructure.  Every  day  in  America  there  are 
thousands  of  unauthorized  attempts  to  gain  access  to  key  government  and  industry  networks,  defense 
facilities,  government  agencies  and  civilian  telephone  and  transportation  systems.1  All  one  has  to  do  is 
pick  up  a  newspaper  and  read  the  headlines  such  as,  "Bank  Losses  Put  at  Millions  in  Computer  Break-in" 
or  "Hackers  Disrupt  Telephone  Service,"2  to  realize  that  the  United  States  needs  a  cooperative  effort  of 
the  government,  private  industry  and  citizens  to  combat  this  menace  to  our  way  of  life. 

DEPENDENCE  ON  INFORMATION  NETWORKS 

The predominantly privately owned and operated National Information Infrastructure (NII) is what
many consider the “Achilles Heel” of the nation in our Infowar fight. The NII was originally designed to be
a system of high-speed telecommunications networks, databases, and advanced computer systems that
make electronic information widely available and accessible.3 The NII was designed and built for the
private sector, but the government is also a significant user of the NII. In fact, 95 percent of DoD’s
unclassified data traffic flows over the nation’s information infrastructure.4 The nation now depends on
interlinked information systems to conduct business. Today there are few entities that don’t use the
nation’s information infrastructure in some capacity. Manufacturers, transportation providers, financial &
banking institutions, federal, state, and local government, the military, and even private citizens “surfing”
the web or sending e-mail, all use the NII.

There are many reasons why the NII has grown over the years. Producers and suppliers can use
electronic links to lower costs by reducing inventories.5 It has also been a profitable and more reliable
means of transferring information. As late as ten years ago, a company would have to send a letter via
Federal Express or use slower mail service. If an immediate transmission of the letter was necessary, the
company would have to rely on a fax machine. Today, it could be as simple as e-mailing the information
or posting it on a company’s web site for download. E-commerce has grown at a tremendous rate as a
result of the NII. From 1995 to 1999, on-line dollar growth increased from $450 Million to $6.1 Billion.6
Today, you see many ads dealing with on-line trading of stocks. Ten years ago, that would have been
unthinkable. However, it is this changing of the information paradigm that has increased the NII
vulnerability to attack. It is the disruption or intrusion of the NII by several potential protagonists that
causes the most concern and puts the National Information Infrastructure at risk.

POTENTIAL  CYBERATTACK  PROTAGONISTS 

The  threat  spectrum  is  composed  of  several  different  types  of  adversaries.  They  range  from 
nation-state  actors  to  recreational  hackers.  Each  adversary  has  a  motive  for  conducting  cyberattacks 
against  the  United  States. 

NATION-STATES 

On  the  high  end  of  the  threat  spectrum  there  are  several  nations  developing  information  warfare 
capabilities  against  the  United  States.  These  nation-states  have  three  main  objectives  for  infiltrating  the 
United  States’  critical  infrastructures:  assist  government-sponsored  companies  in  acquiring  an  advantage 
over  U.S.  competitors;  damage  the  economic  stability  of  our  nation  by  targeting  our  financial  or  industrial 
resources;  or  damage  our  national  security  by  conducting  military  or  intelligence  operations.7  China  and 
other  countries  have  already  begun  to  focus  on  the  United  States’  computer  network  as  a  target  for 
information  attacks  in  an  attempt  to  cripple  the  U.S.  information  flow  capability.8 

At  least  five  other  nations  (Syria,  Iran,  India,  Pakistan  and  Israel)  have  active  groups,  paid  by  their 
governments,  trying  to  formulate  tools  and  procedures  to  cause  computer  terrorism  in  U.S.  corporations.9 
In  fact,  today,  over  60  percent  of  university  degrees  in  Computer  Science  are  given  to  students  from 
developing  countries,  with  a  vast  majority  of  those  students  coming  from  Islamic  countries.10 

CRIMINALS 

The  potential  use  of  cyberattacks  by  organized  crime  groups,  both  domestic  and  international,  is 
an  immediate  and  increasing  concern  for  the  United  States.  Over  the  past  five  years,  more  than  72 
percent of United States corporations found an increased security threat to their data.11 A 1999 FBI
survey  revealed  that  from  1997  to  1999,  computer  crimes  cost  United  States’  corporations  over  $360 
Million.12 

Criminals  are  exploiting  high  technology  for  a  variety  of  purposes,  not  the  least  of  which  is 
financial  gain.  The  biggest  targets  appear  to  be  credit  card  companies,  telephone  companies  and 
financial  institutions.  For  example,  in  1994,  there  was  an  attack  against  Citibank’s  computers  by  a 
Russian  based  organized  crime  ring  which  resulted  in  a  theft  of  over  $12  Million.13 

HACKERS 

The majority of computer intrusions and disruptions to the nation’s computer system come from
hackers. At one time, hackers were characterized as computer-savvy teenagers and over-zealous
programmers who harmlessly infiltrated networks and computers to prove their computer skills, and
thought of hacking into government computer networks as a game. They regarded these infiltrations as
their civic responsibility to uncover security flaws.

Recently,  hackers  have  begun  to  infiltrate  computer  systems  for  profit  and  many  have  become 
“hacktivists”  using  their  hacking  skills  to  deface  government  web  pages  or  render  sites  unusable  in  order 
to send a message of revenge or protest. Examples of some of the targeted sites have been: The White
House,  Congress,  DoD,  Federal  Agencies,  and  even  the  FBI.  Their  ability  to  cause  significant  damage  is 
becoming  more  and  more  viable  and  could  get  increasingly  more  dangerous. 

TERRORISTS 

Terrorists  in  the  past  have  sought  to  conduct  violent  acts  against  non-combatant  targets  with  the 
intent  to  influence  an  audience.  Traditionally,  terrorism  is  defined  as  the  systematic  use  of  violence  as  a 
means  to  intimidate  or  coerce  societies  or  governments.  Typically,  this  has  occurred  through  bombings  or 
other  attacks  on  targets  with  high  profiles,  or  that  raise  significant  media  attention,  or  that  symbolize  the 
government  or  ideology  to  which  the  terrorist  organization  is  opposed.  However,  the  opportunities 
afforded  by  information  warfare  techniques  have  now  provided  terrorists  greater  tools  to  inflict  fear  into  a 
civilian population or wreak havoc throughout targeted institutions. In his book, War and Anti-war, Toffler
believed it was now possible for a Hindu fanatic in Hyderabad or a Muslim fanatic in Madras or even a
deranged “nerd” in Denver to cause immense damage to people, countries, and even armies 10,000
miles away. A report of the National Research Council revealed that, “Tomorrow’s terrorist may be able
to do more damage with a keyboard than with a bomb.”14

Recently,  a  top  Japanese  cyberterrorism  and  crime  expert,  Raisuke  Miyawaki,  predicted  that  it  is 
"only  a  matter  of  time"  before  all  nations  experience  the  first  cyberattack  on  a  worldwide  scale.  He  also 
called  cyberterrorism  one  of  the  two  top  post-Cold  War  problems  the  world  faces,  with  the  other  being 
organized  crime.15 

INSIDERS 

Insiders may be the greatest threat to our critical information infrastructure. It is the insider who is
likely to have the best understanding of an organization's culture and the greatest knowledge about the
operations of an infrastructure and its supporting systems.16 At least 70 percent of intrusions come from
inside an organization.17 The insider threats can include disgruntled workers, paid informants,
compromised or coerced employees, former employees, and business associates motivated to plan and
conduct attacks for reasons such as revenge, financial gain, and fear.18 Gary Hayward and Stewart
Personick in their article, “Protecting the Infrastructures of the Information Age,” suggest through the
following “fictional” scenario, how an insider with the right access could create havoc and threaten the
nation’s information infrastructure.

Kathy was a bright computer-science graduate who worked at a major software firm whose
applications were used by tens of millions of individuals and corporations worldwide. Within a few years,
Kathy gained a position of considerable responsibility in the company's software configuration-management
operation.19 Unfortunately the company was unaware that Kathy was also a member of a
political group that was ready to make its agenda known to the world. Kathy took the opportunity to use
her access privileges to plant a piece of sophisticated, malicious code in the latest release of her firm’s
most popular software application which, when loaded on computers, created havoc worldwide.20 This
scenario of a “trusted user” unfortunately is not too far-fetched and could happen any day.

In  summary,  there  is  no  shortage  of  potential  threats  to  the  United  States.  They  can  be  foreign  or 
domestic,  internal  or  external,  state-sponsored  or  a  single  rogue  element,  terrorist,  insiders,  disgruntled 
employees  or  hackers.  Unfortunately,  as  technology  has  advanced  over  the  past  two  decades,  so  have 
the  tools  and  techniques  of  those  who  attempt  to  break  into  systems.  Figure  2  shows  how  the  technical 
knowledge  required  by  an  attacker  decreases,  as  the  sophistication  of  the  tools  and  techniques 
increases.21 


FIGURE 1. ATTACKERS REQUIRE LESS KNOWLEDGE AS TOOL SOPHISTICATION INCREASES

NATION  UNDER  SIEGE 

Infowar  has  already  begun  to  take  place  against  the  nation’s  information  infrastructure.  No  one  is 
immune  from  computer  attack.  The  threat  is  real.  Consider  the  following  incidents  of  possible 
cyberattacks  against  three  different  sectors  as  cited  in  President  Clinton’s  National  Plan  for  Information 
Systems  Protection: 

1) “Two of America’s largest cities have their 911 service disrupted, causing confusion, slow
response, and potentially, needless deaths.”22

2) “Widespread intrusions into Army, Navy, Air Force, and DoD logistics and support computer
systems are discovered during the middle of our February 1998 confrontation with Iraq. There is no clear
idea where the intrusions were coming from, how long they had been occurring, or what information had
been removed or compromised.”23

3)  “A  new  computer  virus  moves  rapidly  across  the  Internet,  overloading  systems  with 
superfluous  e-mails  and  shutting  down  major  portions  of  corporate  and  government  systems.”24 

The  Defense  Information  Systems  Agency  (DISA)  estimates  that  DoD  is  attacked  about  250,000 
times  per  year  in  which  only  1  in  500  attacks  are  detected  and  reported.25  In  the  civilian  sector,  Figure  2 
illustrates  known  computer  intrusions  monitored  by  The  Computer  Emergency  Response  Team  (CERT) 
which shows a dramatic increase of computer intrusions from six in 1988 to 8,268 in 1999.26

FIGURE 2. CERT TRACKED COMPUTER INTRUSIONS


The cost of these attacks against the private sector reached over $123 Million in 1999.27 The FBI's
caseload for computer hacking and network intrusions has doubled each of the last two years.28 A recent
survey of over 520 U.S. corporations, government agencies, financial institutions and universities
conducted by the Computer Security Institute revealed that 64 percent suffered an intrusion or other
unauthorized use of computer systems, 25 percent reported denial of service attacks, 24 percent reported
system penetration from the outside, 18 percent reported theft of proprietary information, 14 percent
reported sabotage of data or networks and 72 percent suffered financial losses due to computer security
breaches, including computer viruses.29

The  defense  is  only  as  strong  as  its  weakest  link,  and  in  this  case,  the  most  likely  weak  link  in  the 
information  infrastructure  is  the  increased  reliance  on  the  Internet  and  the  relatively  weak  network 
security in the civilian and industrial sector.

VULNERABILITIES


INTERNET 

It is amazingly simple how hackers are able to infiltrate the nation’s information infrastructure. One
of the most critical portions of the NII is the Internet.


FIGURE 3. INTERNET DOMAIN SURVEY HOST COUNT

Source: Internet Software Consortium (http://www.isc.org/)

The  Internet  has  become  the  single  biggest  breakthrough  in  telecommunications  since  the 
telephone.  Figure  3  shows  the  rapid  growth  in  Internet  domain  hosts  from  376,000  in  January  1991  to 
just over 72 million in January 2000.30

However, the Internet’s growth was spurred on by increased demand without much regard for
security. This lack of security measures makes the Internet very vulnerable to attack. The Internet’s
multiple points of access have yielded multiple points of vulnerability.31 The Internet as the pipeline for
information flow has many vulnerable nodes in which a hacker can penetrate. It is the seamless linkage
between telecommunications networks (MCI, Sprint, AT&T, etc.), local networks and Internet service
providers that has made the Internet a lucrative target for penetration attempts and could cause
significant damage or disruption to the NII. It is this vulnerability that has the United States concerned, as
we become increasingly dependent on the Internet for communications.32 Unlike physical attacks to
infrastructure, a cyberattack against a site in Washington D.C. could be conducted from anywhere in the
world through the Internet. It is this difficulty to adequately trace these attacks that has the government
and private sector concerned about the protection of the NII.

There  are  several  means  in  which  a  cyberattack  can  achieve  its  desired  effect.  Viruses,  network 
worms,  Trojan  horses,  logic  bombs  and  other  types  of  automated  attack  could  disrupt  the  operations  of 
thousands. There have been several examples of these types of attacks on the NII.

VIRUSES 

A hacker can infiltrate the NII by producing a virus throughout the system. Viruses represent the
number one cause for shutting down networks and computer systems. In one year, 64 percent of
companies around the world were hit by at least one virus.33 The biggest two viruses to hit the streets
were Melissa and Worm. Riding the Internet, these viruses affected e-mail systems, clogged networks
and in some cases destroyed data worldwide.34 Without adequate antivirus software, computers and
networks had to be reconfigured or even shut down for days and even weeks until they were repaired.

UNAUTHORIZED  NETWORK  ENTRY 

One of the easiest ways to infiltrate the NII is through weak password protection. An untrained or
careless  system  administrator  who  has  root  access  can  inadvertently  provide  the  hacker,  who  would  gain 
access  through  the  use  of  cracking  software,  the  ability  to  obtain  the  unsuspecting  system  administrator’s 
password. Once in possession of the password, the hacker now has in essence the “keys” to the
network.  With  this  unlimited  access  to  the  network  computers,  the  hacker  now  has  the  ability  to  create 
havoc  throughout  the  network.  The  amount  of  damage  and  disruption  could  be  devastating.  For  example, 
Greenwich  Associates,  a  financial  research  and  consulting  firm,  had  its  network  broken  into  by  an  intruder 
using  a  stolen  password.  With  this  password,  the  intruder,  believed  to  be  a  former  employee,  was  able  to 
gain  network  access  and  delete  some  of  the  company’s  research  information.35  Poorly  chosen 
passwords  are  the  weak  link  in  computer  security.  To  reduce  successful  hacking  and  infiltration  attempts 
into  computer  and  network  systems,  it  is  critical  that  private  sector  and  government  agencies  establish 
and  maintain  an  aggressive  password  security  program  and  provide  system  administrators  the  proper 
training  and  support. 

NOT  READY  FOR  PRIMETIME  SOFTWARE 

Another  problem  that  has  been  uncovered  is  buggy,  commercial,  off  the  shelf  software.  In  order  to 
compete  in  the  dynamic  software  market,  software-manufacturing  companies  will  ship  faulty  software  to 
companies  and  government  agencies.  They  will  then  provide  updates  through  patches  to  fix  the 
problems.  Unfortunately,  this  software  could  easily  have  a  bug  that  could  cause  a  hole  in  security.  In 
fact,  from  August  1999  to  February  2000,  Microsoft  released  47  patches  to  fix  security  vulnerabilities  to  its 
most secure operating system, Windows NT 4.0.36 The recent unveiling of Microsoft Windows 2000
Professional is another example of the practice of shipping faulty software. Days after its debut, hackers
found a security bug that would enable intruders to access the main Windows operating system root
directory and connect to resources using the Administrator’s account and a blank password.37 This hole
could  provide  the  hacker  a  means  to  access  a  company’s  computer  and  network  system,  thereby  causing 
major  disruptions  to  the  company’s  database.  These  vulnerabilities  are  just  the  tip  of  the  iceberg.  Now 
more  than  ever,  the  government  and  private  sectors  need  to  take  responsibility  for  the  protection  of  the 
nation’s  information  infrastructure. 

RESPONSIBILITIES 

Even  the  most  robust  information  infrastructure  defense  will  not  provide  100  percent  protection 
against  cyberattacks.  Business,  government,  military,  law  enforcement  and  ultimately  the  nation’s 
security  depend  upon  a  shared  information  system  that  can  be  vulnerable  to  attack.  Unfortunately,  all  our 
critical  banking,  transportation  data,  electrical  grids  and  95  percent  of  DoD’s  unclassified  data  traffic  travel 
via  relatively  open  communication  lines.  A  1994  Joint  Commission’s  Report  on  Redefining  Security 
warned  that  if  an  enemy  targeted  our  nation’s  unprotected  civilian  information  infrastructure,  the  economic 
and  military  results  would  be  disastrous.  According  to  the  new  information-operations  vision,  business, 
government,  law  enforcement,  and  national  security  are  all  bound  together  by  their  shared  information 
systems.39  Protecting  the  nation’s  information  infrastructure  must  be  a  team  approach  involving 
cooperation  between  government  agencies  and  the  private  sector.  Because  both  the  government  and 
private  industry  face  the  same  threats,  there  must  be  a  shared  response.  Each  has  a  responsibility  to 
ensure  the  nation’s  information  infrastructure  is  protected  against  cyberattacks. 


GOVERNMENT  SECURITY  STRATEGY 

President  Clinton  has  outlined  in  the  1999  National  Security  Strategy,  the  major  threats  to  our 
nation’s  information  infrastructure. 


We  also  face  threats  to  critical  national  infrastructures,  which  increasingly  could  take  the 
form  of  a  cyber-attack  in  addition  to  physical  attack  or  sabotage,  and  could  originate,  from 
terrorist  or  criminal  groups  as  well  as  hostile  states. ... 

...This  threat  is  a  mix  of  traditional  and  non-traditional  intelligence  adversaries  that  have 
targeted  American  military,  diplomatic,  technological,  economic  and  commercial  secrets. 

Some  foreign  intelligence  services  are  rapidly  adopting  new  technologies  and  innovative 
methods  to  obtain  such  secrets,  including  attempts  to  use  the  global  information 
infrastructure  to  gain  access  to  sensitive  information  via  penetration  of  computer  systems 
and  networks.  We  must  be  concerned  about  efforts  by  non-state  actors,  including 
legitimate  organizations,  both  quasi-governmental  and  private,  and  illicit  international 
criminal  organizations  to  penetrate  and  subvert  government  institutions  or  critical  sectors 
of  our  economy.40 

The  military  has  taken  the  challenge  addressed  in  the  National  Security  Strategy  and  outlined  its 
strategy  in  the  National  Military  Strategy. 

Some state or nonstate actors may resort to asymmetric means to counter the US
military. Such means include unconventional or inexpensive approaches that circumvent
our strengths, exploit our vulnerabilities, or confront us in ways we cannot match in kind.
Of special concern are terrorism, the use or threatened use of WMD and information
warfare. These three risks in particular have the potential to threaten the US homeland
and population directly and to deny us access to critical overseas infrastructure.41


PRESIDENTIAL  DECISION  DIRECTIVE  63  (PDD-63) 

On May 22, 1998, the President issued Presidential Decision Directive 63 calling for a national
effort to assure the security of the vulnerable and interconnected cyber-based infrastructure. It called for
a joint public-private action to protect our critical infrastructures. PDD-63 organized the following Federal
Government agencies to meet the growing cyber-based challenge.42

National  Coordinator  for  Security,  Critical  Infrastructure  and  Counter-Terrorism  at  the 
White  House  National  Security  Council  (NSC)  oversees  national  policy  development  and 
implementation  for  critical  infrastructure  protection.  The  National  Coordinator  is  a 
member  of  the  Cabinet-level  Principals  Committee,  and  advises  the  President  and  the 
National  Security  Advisor  on  policy  and  implementation  issues  as  they  relate  to  our 
national critical infrastructures. The NSC Senior Director for Critical Infrastructure
supports him.43

The  Critical  Infrastructure  Assurance  Office  (CIAO),  an  interagency  office  housed  at  the 
Commerce  Department,  supports  Plan  development  with  Government  Agencies  and  the 
private  sector.  The  Office  is  also  responsible  for  assisting  Agencies  in  identifying  their 
dependencies  on  critical  infrastructures,  and  coordinating  a  national  education  and 
awareness  program,  legislative  issues,  and  public  affairs.44 

The  National  Infrastructure  Protection  Center  (NIPC),  an  interagency  office  at  the  FBI, 
serves  as  a  threat  assessment  center  focusing  on  threat  warnings,  vulnerabilities,  and 
law  enforcement.  The  NIPC  includes  representatives  from  the  FBI,  Department  of 
Defense,  United  States  Secret  Service,  Intelligence  Agencies,  and  other  Government 
Agencies.45 


NATIONAL  PLAN  FOR  INFORMATION  SYSTEMS  PROTECTION 

On  January  7,  2000,  the  White  House  released  the  plan  to  identify  a  means  to  protect  the  United 
States’  information  infrastructure  through  improved  public/private  sector  cooperation.  This  plan  came 
about  as  a  result  of  the  President’s  Commission  Report  on  Critical  Infrastructure  Protection,  which  cited 
that  protection  of  the  nation’s  critical  information  infrastructure  required  a  new  form  of  cooperation 
between  the  government  and  the  private  sector.46  The  President’s  plan  is  laden  with  milestones  to 
achieve  a  successful  partnership  to  help  tighten  up  the  security  of  our  nation’s  information  infrastructure. 

PRIVATE  SECTOR 

Despite  the  government’s  efforts,  the  main  burden  of  protecting  the  nation’s  information 
infrastructure  must  come  from  the  private  sector.  The  government  should  only  be  in  a  supporting  role. 
The  private  sector  has  a  major  stake  in  the  protection  of  the  nation’s  information  infrastructure.  With  a 
great  deal  of  business  and  financial  transactions  as  well  as  over  95  percent  of  DoD’s  unclassified 
communications utilizing the NII,47 it is the responsibility of the private sector to ensure the security of its
networks and computer systems. The private sector must have a robust network and network security
program  complete  with  trained  systems  administrators  and  a  solid  antivirus  protection  program.  The 
private  sector  has  the  expertise  and  capital  necessary  to  improve  network  and  computer  security  through 
innovations  in  commercial  systems.  However,  there  are  several  issues  that  still  must  be  resolved  if  the 
United  States  is  going  to  have  a  viable  information  protection  program. 

ISSUES 

In  the  areas  of  diagnosing,  detecting,  and  responding  to  cyberattack,  intrusion  detection 
technologies  are  still  in  their  infancy.  Today,  the  United  States  has  limited  ability  to  detect  or  recognize  a 
cyberattack  against  either  government  or  private  sector  infrastructures,  and  even  less  capability  to  react. 

A  growing  battle  will  continue  between  the  need  for  security  and  user  accessibility  in  corporate  and 
government  offices.  The  question  of  encryption  and  growing  legal  issues  will  continue  to  cause  much 
discussion.  Further,  information  sharing  will  be  a  huge  issue  as  many  private  sector  entities  are  reluctant 
to  share  information  about  computer  intrusions,  fearing  adverse  press  coverage  and  public  reaction.  The 
apparent  lack  of  qualified  computer  specialists  will  have  a  significant  impact  on  the  nation’s  ability  to 
investigate attacks against the NII. These are some of the issues that must be addressed for the United
States  to  achieve  a  viable  protection  posture  against  information  warfare  attacks  against  its  National 
Information  Infrastructure. 

INTRUSION  DETECTION 

Real-time  intrusion  detection  is  a  key  element  in  any  set  of  defenses.  The  United  States’  ability  to 
detect,  in  real  time,  intrusions  into  our  systems  and  to  identify  the  intruder  is  currently  very  limited.  An 
information  attack  can  happen  in  a  matter  of  seconds  and  damage  can  occur  in  an  instant.  An  automated 
capability  to  respond  to  an  intrusion,  which  can  prevent  or  limit  the  damage  to  valuable  computer  and 
network  systems,  is  imperative.48 

SECURITY  VS  ACCESSIBILITY 

Maximum security and easy accessibility are not compatible. There has always been a battle
between security and functional users. Consequently, because businesses prefer user-friendly
equipment, because of profits or ease of use, system security usually takes second priority. The
phenomenal growth of computer on-line services and the Internet only serves to compound the problem.
As a result, computer-related crimes become easier to perpetrate and more difficult to identify,
investigate, and prove.49

INFORMATION  SHARING 

The  extent  of  attacks  on  U.S.  corporations  is  difficult  to  estimate.  In  some  cases,  companies  do 
not even recognize the extent of the losses; in others, they fear the negative publicity. As a result, new
procedures needed to be developed to provide a “trusted” forum to assure companies that reporting their
vulnerabilities to government or other private sector agencies would not jeopardize the company’s
operations  or  provide  an  advantage  to  the  company’s  competitors.  Seeing  this  need,  PDD-63  has 
recommended  that  the  private  sector,  in  cooperation  with  the  Federal  Government,  establish  Information 
Sharing  and  Analysis  Centers  (ISACs),  to  facilitate  public-private  information  sharing  on  threats, 
vulnerabilities,  anomalies  and  intrusions.  If  properly  utilized,  ISACs  could  serve  as  a  means  to  gather, 
analyze,  sanitize,  and  disseminate  private  sector  information  to  both  industry  and  to  the  FBI’s  National 
Infrastructure  Protection  Center.50  However,  the  private  sector  will  ultimately  decide  whether  to 
participate  in  ISACs  and  what  form  these  entities  will  take.51 

ENCRYPTION 

Increased protection against cyberattack can be achieved through encryption technology. Strong
digital-signature-based authentication used to provide positive access control is perhaps one of the most
powerful tools in protection against cyberattack. Encryption can be applied to desktops, file servers, and
across networks to assure the privacy of sensitive government, business, and personal information.52
The Computer Systems Policy Project, a coalition of CEOs representing several U.S. computer companies,
estimated that without strong encryption, financial losses as a result of computer security breaches could
reach $80 billion by the end of year 2000.53

The Public Key Infrastructure (PKI), a system of digital certificates and certificate authorities used
to verify and authenticate the validity of each party involved in an Internet transaction, has been critical to
the widespread use of electronic commerce. However, PKI has limitations like any other security solution.
If  the  key  to  unlock  the  encrypted  code  of  the  message,  commonly  called  the  private  key,  is  lost  or 
compromised,  privacy  is  jeopardized.  Private  keys,  if  left  unprotected  by  a  careless  employee,  can  be 
copied  and  used  by  unauthorized  people.54  Sound  security  procedures  must  be  set  up  to  reduce  the 
chances  of  compromise. 

However, the real issue is not the use, but the exportation of encryption technology. While U.S.
companies want unlimited export of the 128-bit encryption technology to friendly nations in order to
compete in the global market, national security organizations fear that uncontrolled export of strong
encryption technology without a decryption feature has the potential to be used by hackers to
conceal their illegal operations from law enforcement agencies. There have been several bills introduced
in Congress that address certain aspects of the encryption issue. However, most of these legislative
proposals largely remove existing export controls on encryption products and open up the opportunity to
promote the widespread availability and use of uncrackable encryption products to anyone, regardless of
the impact on public safety and national security.55

LEGAL


Many  of  our  current  laws  and  regulations  have  not  caught  up  with  the  new  Information  Age 
paradigm.56  Current  legal,  cultural  and  organizational  establishments  intended  to  deal  with  threats  to 
national  security  are  woefully  behind  the  pace  of  technological  change. 

Since  cyberspace  recognizes  no  borders,  international  agreements  and  laws  are  necessary.  This 
is  critical  because  many  information  systems  are  not  only  national,  but  also  worldwide.  An  aggressive 
domestic  and  international  law  enforcement  policy  could  have  a  deterrent  effect  on  potential 
adversaries.57 

Because  the  threats  are  borderless,  one  major  implication  is  that  it  may  be  very  difficult  to  attribute 
a  particular  computer  network  attack  to  a  foreign  state,  and  to  characterize  its  intent  and  motive.  Another 
major  implication  is  that  an  attacker  may  not  be  physically  present  at  the  place  where  the  effects  of  the 
attack  are  felt.  This  will  complicate  the  application  of  traditional  rules  of  international  law  that  were 
developed  in  response  to  territorial  invasions  and  physical  attacks  by  troops,  aircraft,  vehicles,  vessels 
and  weapons  that  the  victim  could  see  and  touch,  and  whose  sponsor  was  usually  readily  apparent. 

CYBERCOPS 

Recent  hacker  attacks  in  February  2000  against  corporate  Web  sites  such  as  eBay,  E-Trade  and 
others  have  uncovered  a  problem  that  may  have  long  term  consequences.  There  is  an  apparent  lack  of 
computer  security  experts  available  to  investigate  cyberattacks.  Lured  by  private  security  firms  offering 
$150,000  to  $200,000,  which  in  most  cases  is  twice  their  government  paychecks,  high-caliber  forensic 
computer experts are leaving law enforcement and government service. The nation has only several
hundred of these highly qualified experts to investigate an ever-increasing number of cyberattacks. The
implication is that several cases may not be solved because of a lack of qualified personnel and resources.
The Clinton administration, in an attempt to solve this problem, is requesting an additional $37 million to
hire and train 159 prosecutors and computer analysts as well as build 10 computer forensic labs around
the country.58 However, this may not be enough to stem the tide.

RECOMMENDATIONS 

Despite the government's attempts to counter information warfare through public/private sector
cooperation and common sense security precautions, like virus protection, password security procedures
and more network administrator training, there are several ways the United States can start being
proactive instead of reactive in its defense against information warfare.

1)  Put  more  teeth  in  the  FBI’s  efforts  to  pursue  hackers  by  establishing  national  and  international 
laws  against  hackers.  To  have  an  adequate  information  protection  program,  hackers  must  perceive  there 
is  a  realistic  threat  of  arrest  and  punishment.  A  strong  national  law  and  a  worldwide  law  enforced  by  the 
World  Court  and  backed  by  United  Nations’  resolutions  would  help  deter  hackers  who  would  otherwise 
conduct their cyberattacks against the United States and other countries. However, in order for these
types of laws to be effective they must be enforced. A law without teeth will not be taken seriously and
will  not  be  a  viable  deterrent. 

2) Accomplish a nationwide test of the information infrastructure vulnerabilities to identify weak
areas and establish workaround procedures in case of a cyberattack. A test to uncover weak areas in
the nation's information infrastructure would enable both government and the private sector to adequately
rate their systems and take corrective action to bring their systems up to standards. It would also provide
a means to work on some worst-case cyberattack scenarios. The challenge will be what to do with private
sector  industries  that  either  deny  permission  or  fail  to  meet  established  security  standards.  Will  they  be 
denied  access  to  the  nation’s  information  infrastructure?  Will  the  analysis  of  their  vulnerabilities  be 
protected  from  unauthorized  release? 

3)  Direct  government  agencies  to  bring  their  information  system  security  status  up  to  established 
security  standards  and  have  their  progress  monitored  by  the  National  Infrastructure  Protection  Center 
(NIPC). The federal government needs to set the standard for network and computer security. Their
compliance should be graded and carefully monitored by the NIPC. The NIPC, acting as an independent
agency, should provide a rating on how well the agencies conform to established standards. The
challenge  will  be  to  ensure  that  information  system  security  standards  are  consistently  evaluated  and 
updated  to  reflect  new  technology. 

4)  Provide  incentives  to  industry  and  private  sector  companies  that  reach  or  exceed 
federal/private  sector  coordinated  network  and  computer  security  standards  either  through  tax  breaks  or 
“special” incentives. Profits or lower costs motivate industry and private sector agencies. If the
government could provide incentives such as tax breaks, private sector companies would be financially
motivated to improve their network and computer security programs. Their security standards should be
evaluated  by  the  NIPC  and  if  they  have  met  or  exceeded  those  standards,  those  companies  should  be 
"rewarded."  The  challenge  will  be  to  ensure  that  the  incentive  program  remains  viable  and  does  not 
become  overloaded  with  governmental  bureaucratic  criteria  that  could  jeopardize  the  improvement  efforts 
of  the  private  sector  network  and  computer  security  programs.  Also,  if  the  private  sector  primarily  relies 
on  financial  incentives  as  motivation  to  improve  their  security  programs,  what  happens  if  the  government 
decides  to  change  its  incentive  policy? 

5)  There  must  be  a  cooperative  effort  between  U.S.  industry  and  national  security  agencies  on 
the  exportation  of  encryption  technology.  An  established  standard  must  be  agreed  upon  between  private 
sector  and  federal  agencies  to  prevent  exporting  the  most  sophisticated  encryption  technology  to  other 
countries. The challenge is to apply the encryption technology in a way that effectively protects our critical
infrastructure while at the same time meeting the demands of global electronic commerce. There need to
be countermeasures, procedures, and realistic export laws established to deter hackers from using
illegally obtained encryption technology while at the same time fostering secure worldwide e-commerce.

CONCLUSION

In order to accomplish these initiatives, the U.S. government will need to make defense of the
nation’s information infrastructure a top priority and put money and human resources toward tackling this
potential “threat.” The United States can ill afford to take “Infowar” lightly. The United States is the most
technologically capable country in the world. Therefore, the United States is the most vulnerable to
information warfare due to its dependence upon critical infrastructures and widespread commitments
across the globe. The challenge is to find ways to protect our own information systems in order to protect
the integrity of both the military operations and the wider social functions, which depend upon them.